Shadow IT: Managing Hidden Risk Across Your Expanding Attack Surface

One study found that 65% of SaaS applications in use are unsanctioned. And 59% of IT professionals find SaaS sprawl challenging to manage. In other words, shadow IT risks are growing—but that’s just the tip of the iceberg when it comes to hidden risks across today’s expanding attack surface.

Missed software patches, outdated certificates, and stealth malware are some examples. Many security teams still struggle to keep their networks safe from ever-growing digital supply chains.

If not properly discovered, listed, and categorized as part of a comprehensive policy, unknown assets could increase exposure and affect the overall security posture of an organization. But there are cybersecurity strategies to prevent that.

In our guide titled “What’s Lurking in Your Environment? How Cyber Leaders Can Address Shadow IT & Hidden Risk” we provide you with a holistic understanding of hidden risks, and arm you with policy and strategy suggestions to protect your expanding digital footprint and infrastructure.

What’s more—we include our first-hand GRC perspective on shadow IT management. In this article, we share some insights into managing hidden risks, a topic that keeps many security teams on their toes every single day.

What is shadow IT and what does it look like?

Shadow IT is any hardware, software, or cloud application that your employees use without the knowledge and approval of your IT and security teams. While none of these technologies is inherently unsecure, they nevertheless add risk to your digital ecosystem when they aren’t protected by your security programs and controls.

Shadow IT may pop up in your digital ecosystem in lots of large and small ways.

• Messaging apps. Employees often communicate on corporate devices using the apps they are most familiar with: WhatsApp, Slack, Facebook, Messenger, Signal, and Skype.
• Physical devices. From flash drives to smartphones and laptops, employees often work with personal devices when storing, transferring, or sharing sensitive business files.
• Cloud storage. Sites like Dropbox and Google Drive are highly popular with users looking to quickly share files with colleagues or to make files available for use when they’re outside the office.
• Efficiency apps. Employees frequently turn to apps like Trello, Asana, Airtable, Monday, and others in an effort to manage projects and work more efficiently.
• Email. Sending work files over personal email accounts is another way that shadow IT can creep into your IT environment. Communications. Users often rely on videoconferencing platforms like Zoom or related VOIP services that are not part of a secure communications platform.
• IoT devices. Smart connected devices like cameras, wireless printers, smart TVs, and virtual assistants are often subject to vulnerability exploitation and data exfiltration.
• Subnets. When networks are expanded through growth or merger, new routable subnets may be added to the digital ecosystem without the knowledge of IT.

What are the risks of Shadow IT?

1. Loss of control and visibility

As employees travel and work from remote locations, so does their data—with their own laptops, mobile phones, Wi-Fi connections, and personal accounts that weren’t properly vetted and sanctioned by the security team.

As a result, data that lives in the shadow supply chain can be difficult to control. Organizations can even lose access to cloud-based data in the event that an employee who owns the information leaves the company, a workstation is infected, or an account is hacked. Think of sharing work documents via personal Dropbox, Gmail, or WhatsApp accounts.

2. Expansion of the attack surface

Because you can’t manage what you can’t see, hidden risk increases the probability of suffering from a data breach, cyberattack, malware infection, or even engaging in unknown vendor relationships. Cloud accounts contain data and resources that can expose the organization to attacks when they’re misconfigured or subject to vulnerability exploitation.

This makes it critical to implement solutions to discover hidden assets and cloud instances, assess them, and bring them into line with corporate security policies. Monitoring the network for Shadow IT risks is the only way to increase visibility over these assets and build a comprehensive, up-to-date inventory so they can be hardened against cyberattacks.

3. Operational inefficiencies

Data may be stored and used in multiple locations across the network, creating silos that can affect data flow management, analysis, and reporting. Different teams could be using different tools for the same purpose.

If multiple versions of data exist in different unmapped locations, the IT team will struggle with duplicate processes, skewed reports, and challenges related to system capacity, architecture, security, and performance.

4. Increased costs

As part of routine checks, the IT security team may come across an unknown service, and they will have to decide whether or not to keep it. If the application has turned into a critical tool for any given project or team, the cost incurred by the organization to continue using it may be unjustified. This is quite common with SaaS applications for productivity and collaboration, or cloud storage.

5. Non-compliance

Rogue apps and services can make it challenging to maintain compliance, as network blind spots could turn into governance issues. In industries subject to cyber regulations such as the SEC requirements, or DORA and NIS 2 in the EU, Shadow IT creates additional audit points, where wrongful data management from a third-party could incur costly lawsuits or fines for noncompliance.

As part of an always up-to-date inventory, organizations must monitor the security and compliance posture of cloud assets in use across the entire supply chain.

Why does it happen?

Unlike cyberattacks, the motivations behind the use of shadow IT are usually not malicious. Typically, shadow IT arises for one of three reasons.

• Lack of awareness or concern

Most employees don’t set out to foil security teams by adopting shadow IT technologies. In most cases, they’re simply trying to work more efficiently, get their jobs done, and move the business forward in the best way they know how. In their personal lives, they’re quite accustomed to simply trying or adopting a variety of new apps and services, even more so now with the array of AI-based tools—and they may not realize how dangerous the use of these solutions can be in a work environment.

• Urgent needs

Employees may adopt shadow IT when they have an urgent need and don’t feel they can wait for IT approval. Or they may feel frustrated with IT approval processes that seem too restrictive. In these cases, employees tend to feel the value of efficiently solving their business problem outweighs what they may perceive as “minor” security concerns.

• Business developments

With mergers and acquisitions, it’s easy for IT systems inherited by a parent company to be overlooked in an IT audit. Even significant cloud instances can be missed when adding a subsidiary that has offices all over the world.

Shadow IT Cybersecurity: Reducing Technology Gaps

Organizations can embrace shadow IT. If a certain solution or cloud-based app is needed by multiple users, and as long as the benefits of introducing it outweigh the associated risks, it can present opportunities for strategic guidance.

When employees bypass cybersecurity protocols, they’re not actively trying to create risk—they usually want to get their work done easier or test a new tool. Shadow IT is often the result of trying to achieve greater productivity and agility. Yet, it increases exposure to risk, may violate regulatory compliance standards, and creates cost overruns.

The strategy to combat hidden risk, then, is twofold:

• Process-wise, it’s about developing policies and procedures for employees to safely add new technology to the network.
• Technology-wise, it’s about implementing solutions and capabilities to automatically detect unsanctioned apps and take necessary action.

Here are a few things you can do to reduce the need for shadow IT—and the hidden risk that comes with it.

1. Communicate and collaborate. Enable easy, convenient, and effective communication between technical departments and users, in order to understand the true needs, experience, and feedback on existing and required technologies.
    
2. Educate and train. Inform users about the risks associated with unsanctioned technologies and how the security team can assist in fulfilling requirements without having to bypass the standard governance protocols.
    
3. Streamline governance. Facilitate innovation through a process of identifying, vetting, and provisioning technology at a rapid pace. Balance policy enforcement with the flexibility to evolve and respond to changing needs of end-users.
    
4. Continuously monitor your network to discover hidden risks. Deploy solutions to monitor anomalous network activities, discover unknown vendors, unexpected purchases, data and workload migrations, IT usage patterns, and other indicators of shadow IT practices—and bring them into line with your security policies. Proactive discovery can allow organizations to mitigate the risks faster.
    
5. Assess and mitigate the risks. Not all hidden risks pose the same threat. Continuous assessment of technologies in use at the workplace can allow organizations to strategize risk mitigation activities based on the risk-sensitivity of every shadow IT offense.

The key to minimizing unknown, hidden risks is to continuously educate your employees, monitor your digital ecosystem for signs of undetected activity, and mitigate shadow IT risks by bringing them under your security controls. With tools from Bitsight, your security teams can rest a little easier knowing that shadow IT doesn’t have to be an unknown, lurking security concern.